The attackers behind the TeslaCrypt ransomware, which is one of the newer entries on the scene, may not be making as much money yet as some of their more experienced competitors, but researchers say that their malware is having a profound effect on victims.
Like many other pieces of ransomware, TeslaCrypt often spreads with the help of exploit kits. Attackers use compromised Web sites to redirect visitors to exploit kits such as Angler or Nuclear, which carry exploits for a variety of applications, typically browsers, browser extensions, and plug-ins such as Flash or Java. Once an exploit succeeds on a machine, its payload downloads the ransomware, which then encrypts files on the computer.
CryptoLocker is the most well-known ransomware strain, and TeslaCrypt is widely considered a CryptoLocker variant; its ransom screens mimic CryptoLocker's. TeslaCrypt differs in that, alongside the usual documents and images, it specifically targets files associated with gaming platforms, such as saved games and player profiles. It first emerged around February 2015, and, like many other ransomware families, it usually expects victims to pay the ransom in Bitcoin. Researchers at FireEye recently followed the money trail to see how much the attackers behind the scam are making.
What they found is that the TeslaCrypt crew isn't pulling down anything like the sums attributed to the original CryptoLocker operation. TeslaCrypt typically demands between 0.5 and 2.5 Bitcoin for the decryption key, or up to $1,000 if the victim pays through PayPal.
“We tracked the victims’ payments to the cybercriminals—available because the group used bitcoin—and determined that between February and April 2015, the perpetrators extorted $76,522 from 163 victims. This amount may seem trivial compared to millions made annually on other cyber crimes, or the estimated $3 million the perpetrators of CryptoLocker were able to make during nine months in 2013-14. However, even this modest haul demonstrates ransomware’s ability to generate profits and its devastating impact on victims,” Nart Villeneuve of FireEye wrote in an analysis of the TeslaCrypt operation.
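FireEye could put a figure on the take because every ransom note points at a Bitcoin address and the ledger is public. The script below is an added illustration of the bookkeeping such a trace needs; it is not FireEye's code or the article's, and every address, transaction id and price in it is constructed for the example. It sums inbound payments to a set of assumed attacker addresses, values each payment at the price on the day it was made, skips attacker-to-attacker wallet consolidations so victim money is not counted twice, and flags payments outside the 0.5 to 2.5 BTC demand range, which is where bargained-down prices show up.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date

SATOSHI = 100_000_000  # one bitcoin in its smallest unit


@dataclass(frozen=True)
class TxOutput:
    address: str
    satoshi: int


@dataclass(frozen=True)
class Tx:
    txid: str
    day: date
    inputs: tuple[str, ...]        # addresses whose coins funded this transaction
    outputs: tuple[TxOutput, ...]


# Constructed data: none of these addresses, txids or prices are real.
ATTACKER_ADDRESSES = {"attacker-addr-A", "attacker-addr-B", "attacker-addr-C"}

USD_PER_BTC = {  # assumed daily prices, constructed for the example
    date(2015, 3, 2): 270.0,
    date(2015, 3, 15): 290.0,
    date(2015, 4, 1): 250.0,
    date(2015, 4, 10): 240.0,
}

SAMPLE_TXS = (
    # victim A pays 1.0 BTC and takes 0.2 BTC change back
    Tx("tx1", date(2015, 3, 2), ("victim-A",),
       (TxOutput("attacker-addr-A", 100_000_000), TxOutput("victim-A-change", 20_000_000))),
    # victim B pays the minimum demand of 0.5 BTC
    Tx("tx2", date(2015, 3, 15), ("victim-B",), (TxOutput("attacker-addr-B", 50_000_000),)),
    # attacker sweeps both wallets into a third: not victim money, must not be counted
    Tx("tx3", date(2015, 4, 1), ("attacker-addr-A", "attacker-addr-B"),
       (TxOutput("attacker-addr-C", 150_000_000),)),
    # victim C pays 0.3 BTC, below the stated demand (a bargained-down price)
    Tx("tx4", date(2015, 4, 10), ("victim-C",), (TxOutput("attacker-addr-A", 30_000_000),)),
    # unrelated traffic from the same block range
    Tx("tx5", date(2015, 4, 10), ("someone",), (TxOutput("someone-else", 10_000_000),)),
)


def trace_ransom_payments(txs, attacker_addrs, usd_per_btc, demand_range=(0.5, 2.5)):
    """Aggregate inbound payments to a set of attacker-controlled addresses.

    Returns totals in BTC and USD (valued at the price on the day of payment),
    a per-address breakdown, a victim count, and the payments that fall outside
    the demanded range. A 'victim' is approximated as one paying transaction,
    which is an assumption of this example, not FireEye's method.
    """
    total_sat = 0
    total_usd = 0.0
    per_address = defaultdict(int)
    victims = 0
    off_range = []
    for tx in txs:
        # A transaction funded entirely by attacker addresses is wallet
        # consolidation; counting it would double-count victim money.
        if tx.inputs and all(addr in attacker_addrs for addr in tx.inputs):
            continue
        paid = sum(o.satoshi for o in tx.outputs if o.address in attacker_addrs)
        if paid == 0:
            continue
        try:
            price = usd_per_btc[tx.day]
        except KeyError:
            raise ValueError(f"no USD price for {tx.day} (tx {tx.txid})") from None
        victims += 1
        total_sat += paid
        total_usd += paid * price / SATOSHI
        for o in tx.outputs:
            if o.address in attacker_addrs:
                per_address[o.address] += o.satoshi
        btc = paid / SATOSHI
        lo, hi = demand_range
        if not lo <= btc <= hi:
            off_range.append((tx.txid, btc))
    return {
        "victims": victims,
        "total_btc": total_sat / SATOSHI,
        "total_usd": total_usd,
        "per_address_btc": {a: s / SATOSHI for a, s in per_address.items()},
        "off_range": off_range,
    }


if __name__ == "__main__":
    summary = trace_ransom_payments(SAMPLE_TXS, ATTACKER_ADDRESSES, USD_PER_BTC)
    print(f"{summary['victims']} payments, {summary['total_btc']:.2f} BTC, "
          f"${summary['total_usd']:,.2f}")
    for txid, btc in summary["off_range"]:
        print(f"  {txid}: {btc} BTC is outside the demanded range")
```

Amounts are kept in integer satoshi until the final conversion so that rounding does not creep into the totals, and a payment on a day with no price entry is an error rather than silently valued at zero. Against a real chain the transaction records would come from a block explorer or a local node's index, and the attacker address set from the ransom notes in captured samples.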
The victim count, and hence the money, isn't high yet for TeslaCrypt, but the ransomware is still taking its toll. In addition to tracking the money victims paid, FireEye also read through the messages exchanged between the attackers and their victims, many of whom have little or no understanding of what has happened or why. Some victims plead that they cannot afford the decryption key, while others say they could be fired if their employer learns of the infection. In some cases the attackers reduce the price; in others they simply repeat their demands.
“Among the 1,231 TeslaCrypt victims, 263 interacted with the cybercrime group through their messaging system. These messages provide an inside view into the impact on the victims and the mindset of the cybercriminals. The range of emotions from the victims, who have just lost all their files, ranges from anger and bewilderment to a willingness to bargain and desperation,” Villeneuve wrote.
“We anticipate that ransomware will continue to be a growth area for cybercriminals in the next few years. The tools are easy to employ, and even inexperienced intruders can generate a quick profit from Internet users around the world who are desperate to recover their files and pay the ransom.”
Security companies have been working to defeat ransomware variants. Kaspersky Lab, together with the National High-Tech Crime Unit of the Dutch police, has developed a tool that decrypts files encrypted by CoinVault, another ransomware strain. Likewise, Fox-IT and FireEye offer a tool that can help decrypt files hit by CryptoLocker.